LOL - Cake Poker

[YouGotPLOwned]

http://forumserver.twoplustwo.com/29/news-views-gossip/cake-encryption-vulnerabilities-838327/

Maybe your sixth sense Scuter of being superused was right. Still think they have great software?

[YouGotPLOwned]

liiiiitle surprised non of the cake advocates have commented on this yet. As a very wise man once said :

"is this thing on?"

[crash]

so wtf does this mean. I'm computer stupid so explain it to me like I'm 60. Cake is my main site but traffic has been dying.

[TableTiger1]

They gonna steal your moniez.

[TableTiger1]

Basically they didn't encrypt their traffic, so hypothetically people could steal your information (not very easy)

In other words this is how scuter made money.

You are probably safe now because there are only about 14 people on the site anymore.

[crash]

so anyone could steal my information if they were close enough to my house to intercept my wireless? or just anyone could target me from anywhere in the world somehow?

Yeah lowering the guarantees has been super annoying. WTF LEE??

I've been playing some at Carbon since that seems to be where cake's traffic has gone with sportsbook moving there. doomswitched obv., I've busted out of my last 5 tourneys on 70/30 or better including AA < Ako. LOL Donkaments.

[YouGotPLOwned]

so anyone could steal my information if they were close enough to my house to intercept my wireless? or just anyone could target me from anywhere in the world somehow?

In a nutshell yes. Obv is easier if they can intercept your wireless network - but any "hub" (for want of better simpler words) inbetween you and the cake servers can access this information.

This is the part a lot of people are skipping over. Yes there is a minimal chance someone knows where you live etc etc and gets your holecard information that way - but even scarier is someone at an ISP doing this or even worse a cake employee who has access to the physical cake network.

Essentially its HARDER to detect than what potripper did and they have access to your account username and password aswell.

And tabletiger i dont know if you have an IT background or not - but from someone who does - it is not hard at all. A first year Info Tech student at unversity/college could do this EASILY. Scratch that - a kid after a semester of TAFE could do this. Infact a couple days on the googles would give you the necessary software and skills.


Their system is so retardedly flawed - im just going to assume it was done on purpose. I cant come up with any other explanation.

[bonesy]

what's the traffic like on Carbon? are they on a network?

[crash]

what's the traffic like on Carbon? are they on a network?

Traffic is not as good as Cake yet but it is growing while

Merge network.

Which I think does not allow Australian players.

[TableTiger1]

so anyone could steal my information if they were close enough to my house to intercept my wireless? or just anyone could target me from anywhere in the world somehow?

In a nutshell yes. Obv is easier if they can intercept your wireless network - but any "hub" (for want of better simpler words) inbetween you and the cake servers can access this information.

This is the part a lot of people are skipping over. Yes there is a minimal chance someone knows where you live etc etc and gets your holecard information that way - but even scarier is someone at an ISP doing this or even worse a cake employee who has access to the physical cake network.

Essentially its HARDER to detect than what potripper did and they have access to your account username and password aswell.

And tabletiger i dont know if you have an IT background or not - but from someone who does - it is not hard at all. A first year Info Tech student at unversity/college could do this EASILY. Scratch that - a kid after a semester of TAFE could do this. Infact a couple days on the googles would give you the necessary software and skills.


Their system is so retardedly flawed - im just going to assume it was done on purpose. I cant come up with any other explanation.

Crash,

They could intercept it if they were sitting in Somalia with their dick in their hand... but I think it is easy to steal data packets and all, but using it to your advantage is quite a bit harder. I would be most worried about cake employees stealing shit left and right. All in all stop playing cake as of yesterday.

[Pok 7's]

GG Cake.



I'm sure their massive advertising campaign will help save them. After all it kept AP/UB alive through all their scandals.

[bonesy]

It's dissapointing. I liked cake. think I'll move to Full Tilt.

Anyone have a personal favorite site other then Tilt or Stars?

[bonesy]

anyone play on the ongame network. one of the few I've never tried.

[scuter]

This is literally the first I've heard of this.

I read two pages of idiotic 2+2 retardation and couldn't read on.

Someone pls tell me what the status is? Literally if I have to read another 2+2 idiot post in my life, I will kill a small mammal.

For every post.

[YouGotPLOwned]

Posted by Lee today.

Hi folks -
Various items
The software team is continuing to make good progress; the updates coming from the software manager are encouraging. I don't have a specific date yet but it should be sooner than later.
To clarify what I said on Saturday evening, I am content working for Cake and intend to continue doing so. I have no reason to believe that anybody on the Cake staff (technical or management) told me something which he knew or thought to be untrue. If I thought I'd been lied to by a colleague (particularly any executive), we'd be in a very different situation. The first difference is that either that person or I would be gone.

Similarly, I would not continue working for a company that knowingly lied to its customers. The website error is a perfect example; not updating the website was a stupid mistake, not malicious.
Those of you who are asking for a specific time-line about the series of events leading up to this mess will be disappointed; I am not going to provide a time-line. Once the technical problem is solved, we certainly have a corporate obligation to do a post-mortem and understand what happened and how. But I don't believe we have a responsibility to share those results with the public.
I know it seems that the encryption issue is all we talk about here but I am happy to answer questions on other topics; I'm not a one-trick pony.

Best regards,
Lee Jones

Cake Poker Cardroom Manager


Cliffs : Still no encryption and they continue to trade as if nothing has happened.

[YouGotPLOwned]

Quote:
Originally Posted by Lee Jones
Without excusing, in any way, our security vulnerability, this is 100% correct and is the standard protocol in the computing industry. If you find a security leak in somebody's software, you alert the company that has the software, wait an appropriate period to let them fix it, and then tell the world.

There are a million ways PTR could have "escrowed" the scoop on this. They could have alerted us and also told some respected person in the business (e.g. Kevmath and/or another respected 2+2 mod). Had we not responded, not fixed the problem, or pretended we found it ourselves, Kevmath would have been there to tell the whole story.

Once we had the problem fixed, PTR could have then gone public and said "Aha! Look at the vulnerability we found at Cake!" We'd have no way of denying that (and we wouldn't have denied it, anyway).

I say all this to get here: ask yourself why PTR would tell the world simultaneously when they told us (thus raising the risk level for anybody playing on Cake).

Best regards,
Lee Jones

Cake Poker Cardroom Manager
-------------------------------------------
Response from NoahSD :

In summary, making the vulnerability public was a terrible thing to do, but leaving your site up when the vulnerability is public is fine?

It's so incredibly unprofessional for you to completely ignore a ton of legitimate questions but still bother to chime into this thread to insult PTR. Even Cereus and Stars (who really really really hate PTR) knew enough not to do that.

It also happens to be the case that you're completely wrong about this. It's quite common in the cyber security world to release vulnerabilities publicly. There are a lot of reasons for this, but the main ones are to warn consumers about the risk and to force the company to act.

Your statement that it's "standard protocol in the computing industry" to tell the company is either naive or deliberately deceitful. Even if you were just being naive, maybe you should consider that when you're speaking for your company about a huge security blunder in an unprofessional way, you should at least make sure you know what you're talking about first. For example, you could've checked wikipedia or checked google where you would've found lots of discussion.

This post was totally classless and unprofessional. Trying to point the blame elsewhere is childish. Getting the facts so wrong is pathetic. Spend less time getting defensive and embarrassing yourself and more time protecting your customers.
-----------------------------------------------------------
Noah is owning Lees face so fucking hard

[scuter]

Yeah, I guess I assumed it would be expected that I couldn't care less what Lee Fucktard Jones has to say.

Cliffs : Still no encryption and they continue to trade as if nothing has happened.

So players need to be warned as per Cereus? This is basically an identical issue, right?

[YouGotPLOwned]

yes

[YouGotPLOwned]

and its worse than cereus considering its nearly impossible to catch the superusers with no data mining and screen name changes